Dieser Inhalt ist in der von Ihnen ausgewählten Sprache nicht verfügbar.
Chapter 2. Installing Capsule Server
Before you install Capsule Server, you must ensure that your environment meets the requirements for installation. For more information, see Preparing your Environment for Installation.
2.1. Registering to Satellite Server
Use this procedure to register the base operating system on which you want to install Capsule Server to Satellite Server.
Red Hat subscription manifest prerequisites
- On Satellite Server, a manifest must be installed and it must contain the appropriate repositories for the organization you want Capsule to belong to.
- The manifest must contain repositories for the base operating system on which you want to install Capsule, as well as any clients that you want to connect to Capsule.
- The repositories must be synchronized.
For more information on manifests and repositories, see Managing Red Hat Subscriptions in Managing content.
Proxy and network prerequisites
- The Satellite Server base operating system must be able to resolve the host name of the Capsule base operating system and vice versa.
- Ensure HTTPS connection using client certificate authentication is possible between Capsule Server and Satellite Server. HTTP proxies between Capsule Server and Satellite Server are not supported.
- You must configure the host and network-based firewalls accordingly. For more information, see Port and firewall requirements in Installing Capsule Server. You can register hosts with Satellite using the host registration feature in the Satellite web UI, Hammer CLI, or the Satellite API. For more information, see Registering hosts and setting up host integration in Managing hosts.
Procedure
- In the Satellite web UI, navigate to Hosts > Register Host.
- From the Activation Keys list, select the activation keys to assign to your host.
- Click Generate to create the registration command.
- Click on the files icon to copy the command to your clipboard.
- Connect to your host using SSH and run the registration command.
-
Check the
/etc/yum.repos.d/redhat.repo
file and ensure that the appropriate repositories have been enabled.
CLI procedure
Generate the host registration command using the Hammer CLI:
# hammer host-registration generate-command \ --activation-keys "My_Activation_Key"
If your hosts do not trust the SSL certificate of Satellite Server, you can disable SSL validation by adding the
--insecure
flag to the registration command.# hammer host-registration generate-command \ --activation-keys "My_Activation_Key" \ --insecure true
- Connect to your host using SSH and run the registration command.
-
Check the
/etc/yum.repos.d/redhat.repo
file and ensure that the appropriate repositories have been enabled.
API procedure
Generate the host registration command using the Satellite API:
# curl -X POST https://satellite.example.com/api/registration_commands \ --user "My_User_Name" \ -H 'Content-Type: application/json' \ -d '{ "registration_command": { "activation_keys": ["My_Activation_Key_1, My_Activation_Key_2"] }}'
If your hosts do not trust the SSL certificate of Satellite Server, you can disable SSL validation by adding the
--insecure
flag to the registration command.# curl -X POST https://satellite.example.com/api/registration_commands \ --user "My_User_Name" \ -H 'Content-Type: application/json' \ -d '{ "registration_command": { "activation_keys": ["My_Activation_Key_1, My_Activation_Key_2"], "insecure": true }}'
Use an activation key to simplify specifying the environments. For more information, see Managing Activation Keys in Managing content.
To enter a password as a command line argument, use
username:password
syntax. Keep in mind this can save the password in the shell history. Alternatively, you can use a temporary personal access token instead of a password. To generate a token in the Satellite web UI, navigate to My Account > Personal Access Tokens.- Connect to your host using SSH and run the registration command.
-
Check the
/etc/yum.repos.d/redhat.repo
file and ensure that the appropriate repositories have been enabled.
2.2. Configuring repositories
Prerequisite
- If you are installing Capsule Server as a virtual machine hosted on Red Hat Virtualization, you must also enable the Red Hat Common repository and then install Red Hat Virtualization guest agents and drivers. For more information, see Installing the Guest Agents and Drivers on Red Hat Enterprise Linux in the Virtual Machine Management Guide.
Procedure
Select the operating system and version you are installing on:
2.2.1. Red Hat Enterprise Linux 9
Disable all repositories:
# subscription-manager repos --disable "*"
Enable the following repositories:
# subscription-manager repos \ --enable=rhel-9-for-x86_64-baseos-rpms \ --enable=rhel-9-for-x86_64-appstream-rpms \ --enable=satellite-capsule-6.16-for-rhel-9-x86_64-rpms \ --enable=satellite-maintenance-6.16-for-rhel-9-x86_64-rpms
Verification
Verify that the required repositories are enabled:
# dnf repolist enabled
2.2.2. Red Hat Enterprise Linux 8
Disable all repositories:
# subscription-manager repos --disable "*"
Enable the following repositories:
# subscription-manager repos \ --enable=rhel-8-for-x86_64-baseos-rpms \ --enable=rhel-8-for-x86_64-appstream-rpms \ --enable=satellite-capsule-6.16-for-rhel-8-x86_64-rpms \ --enable=satellite-maintenance-6.16-for-rhel-8-x86_64-rpms
Enable the module:
# dnf module enable satellite-capsule:el8
Verification
Verify that the required repositories are enabled:
# dnf repolist enabled
Additional Resources
-
If there is any warning about conflicts with Ruby or PostgreSQL while enabling
satellite-capsule:el8
module, see Troubleshooting DNF modules. - For more information about modules and lifecycle streams on Red Hat Enterprise Linux 8, see Red Hat Enterprise Linux 8 Application Streams Lifecycle.
2.3. Optional: Using fapolicyd on Capsule Server
By enabling fapolicyd
on your Satellite Server, you can provide an additional layer of security by monitoring and controlling access to files and directories. The fapolicyd daemon uses the RPM database as a repository of trusted binaries and scripts.
You can turn on or off the fapolicyd on your Satellite Server or Capsule Server at any point.
2.3.1. Installing fapolicyd on Capsule Server
You can install fapolicyd
along with Capsule Server or can be installed on an existing Capsule Server. If you are installing fapolicyd
along with the new Capsule Server, the installation process will detect the fapolicyd in your Red Hat Enterprise Linux host and deploy the Capsule Server rules automatically.
Prerequisites
- Ensure your host has access to the BaseOS repositories of Red Hat Enterprise Linux.
Procedure
For a new installation, install fapolicyd:
# dnf install fapolicyd
For an existing installation, install fapolicyd using satellite-maintain packages install:
# satellite-maintain packages install fapolicyd
Start the
fapolicyd
service:# systemctl enable --now fapolicyd
Verification
Verify that the
fapolicyd
service is running correctly:# systemctl status fapolicyd
New Satellite Server or Capsule Server installations
In case of new Satellite Server or Capsule Server installation, follow the standard installation procedures after installing and enabling fapolicyd on your Red Hat Enterprise Linux host.
Additional resources
For more information on fapolicyd, see Blocking and allowing applications using fapolicyd in Red Hat Enterprise Linux 9 Security hardening or Blocking and allowing applications using fapolicyd in Red Hat Enterprise Linux 8 Security hardening.
2.4. Installing Capsule Server packages
Before installing Capsule Server packages, you must update all packages that are installed on the base operating system.
Procedure
To install Capsule Server, complete the following steps:
Update all packages:
# dnf upgrade
Install the Satellite Server packages:
# dnf install satellite-capsule
2.5. Configuring Capsule Server with SSL certificates
Red Hat Satellite uses SSL certificates to enable encrypted communications between Satellite Server, external Capsule Servers, and all hosts. Depending on the requirements of your organization, you must configure your Capsule Server with a default or custom certificate.
- If you use a default SSL certificate, you must also configure each external Capsule Server with a distinct default SSL certificate. For more information, see Section 2.5.1, “Configuring Capsule Server with a default SSL certificate”.
- If you use a custom SSL certificate, you must also configure each external Capsule Server with a distinct custom SSL certificate. For more information, see Section 2.5.2, “Configuring Capsule Server with a custom SSL certificate”.
2.5.1. Configuring Capsule Server with a default SSL certificate
Use this section to configure Capsule Server with an SSL certificate that is signed by Satellite Server default Certificate Authority (CA).
Prerequisites
- Capsule Server is registered to Satellite Server. For more information, see Section 2.1, “Registering to Satellite Server”.
- Capsule Server packages are installed. For more information, see Section 2.4, “Installing Capsule Server packages”.
Procedure
On Satellite Server, to store all the source certificate files for your Capsule Server, create a directory that is accessible only to the
root
user, for example/root/capsule_cert
:# mkdir /root/capsule_cert
On Satellite Server, generate the
/root/capsule_cert/capsule.example.com-certs.tar
certificate archive for your Capsule Server:# capsule-certs-generate \ --foreman-proxy-fqdn capsule.example.com \ --certs-tar /root/capsule_cert/capsule.example.com-certs.tar
Retain a copy of the
satellite-installer
command that thecapsule-certs-generate
command returns for deploying the certificate to your Capsule Server.Example output of
capsule-certs-generate
output omitted satellite-installer --scenario capsule \ --certs-tar-file "/root/capsule_cert/capsule.example.com-certs.tar" \ --foreman-proxy-register-in-foreman "true" \ --foreman-proxy-foreman-base-url "https://satellite.example.com" \ --foreman-proxy-trusted-hosts "satellite.example.com" \ --foreman-proxy-trusted-hosts "capsule.example.com" \ --foreman-proxy-oauth-consumer-key "s97QxvUAgFNAQZNGg4F9zLq2biDsxM7f" \ --foreman-proxy-oauth-consumer-secret "6bpzAdMpRAfYaVZtaepYetomgBVQ6ehY"
On Satellite Server, copy the certificate archive file to your Capsule Server:
# scp /root/capsule_cert/capsule.example.com-certs.tar \ root@capsule.example.com:/root/capsule.example.com-certs.tar
On Capsule Server, to deploy the certificate, enter the
satellite-installer
command that thecapsule-certs-generate
command returns.When network connections or ports to Satellite are not yet open, you can set the
--foreman-proxy-register-in-foreman
option tofalse
to prevent Capsule from attempting to connect to Satellite and reporting errors. Run the installer again with this option set totrue
when the network and firewalls are correctly configured.ImportantDo not delete the certificate archive file after you deploy the certificate. It is required, for example, when upgrading Capsule Server.
2.5.2. Configuring Capsule Server with a custom SSL certificate
If you configure Satellite Server to use a custom SSL certificate, you must also configure each of your external Capsule Servers with a distinct custom SSL certificate.
To configure your Capsule Server with a custom certificate, complete the following procedures on each Capsule Server:
2.5.2.1. Creating a custom SSL certificate for Capsule Server
On Satellite Server, create a custom certificate for your Capsule Server. If you already have a custom SSL certificate for Capsule Server, skip this procedure.
Procedure
To store all the source certificate files, create a directory that is accessible only to the
root
user:# mkdir /root/capsule_cert
Create a private key with which to sign the certificate signing request (CSR).
Note that the private key must be unencrypted. If you use a password-protected private key, remove the private key password.
If you already have a private key for this Capsule Server, skip this step.
# openssl genrsa -out
/root/capsule_cert/capsule_cert_key.pem
4096Create the
/root/capsule_cert/openssl.cnf
configuration file for the CSR and include the following content:[ req ] req_extensions = v3_req distinguished_name = req_distinguished_name prompt = no [ req_distinguished_name ] commonName = capsule.example.com [ v3_req ] basicConstraints = CA:FALSE keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment extendedKeyUsage = serverAuth, clientAuth, codeSigning, emailProtection subjectAltName = @alt_names [ alt_names ] DNS.1 = capsule.example.com
Optional: If you want to add Distinguished Name (DN) details to the CSR, add the following information to the
[ req_distinguished_name ]
section:[req_distinguished_name] CN = capsule.example.com countryName =My_Country_Name 1 stateOrProvinceName = My_State_Or_Province_Name 2 localityName = My_Locality_Name 3 organizationName = My_Organization_Or_Company_Name organizationalUnitName = My_Organizational_Unit_Name 4
Generate CSR:
# openssl req -new \ -key /root/capsule_cert/capsule_cert_key.pem \ 1 -config /root/capsule_cert/openssl.cnf \ 2 -out /root/capsule_cert/capsule_cert_csr.pem 3
Send the certificate signing request to the certificate authority (CA). The same CA must sign certificates for Satellite Server and Capsule Server.
When you submit the request, specify the lifespan of the certificate. The method for sending the certificate request varies, so consult the CA for the preferred method. In response to the request, you can expect to receive a CA bundle and a signed certificate, in separate files.
2.5.2.2. Deploying a custom SSL certificate to Capsule Server
Use this procedure to configure your Capsule Server with a custom SSL certificate signed by a Certificate Authority. The satellite-installer
command, which the capsule-certs-generate
command returns, is unique to each Capsule Server. Do not use the same command on more than one Capsule Server.
Prerequisites
- Satellite Server is configured with a custom certificate. For more information, see Configuring Satellite Server with a Custom SSL Certificate in Installing Satellite Server in a connected network environment.
- Capsule Server is registered to Satellite Server. For more information, see Section 2.1, “Registering to Satellite Server”.
- Capsule Server packages are installed. For more information, see Section 2.4, “Installing Capsule Server packages”.
Procedure
On your Satellite Server, generate a certificate bundle:
# capsule-certs-generate \ --foreman-proxy-fqdn capsule.example.com \ --certs-tar ~/capsule.example.com-certs.tar \ --server-cert /root/capsule_cert/capsule_cert.pem \ 1 --server-key /root/capsule_cert/capsule_cert_key.pem \ 2 --server-ca-cert /root/capsule_cert/ca_cert_bundle.pem 3
Retain a copy of the
satellite-installer
command that thecapsule-certs-generate
command returns for deploying the certificate to your Capsule Server.Example output of
capsule-certs-generate
output omitted satellite-installer --scenario capsule \ --certs-tar-file "/root/capsule.example.com-certs.tar" \ --foreman-proxy-register-in-foreman "true" \ --foreman-proxy-foreman-base-url "https://satellite.example.com" \ --foreman-proxy-trusted-hosts "satellite.example.com" \ --foreman-proxy-trusted-hosts "capsule.example.com" \ --foreman-proxy-oauth-consumer-key "My_OAuth_Consumer_Key" \ --foreman-proxy-oauth-consumer-secret "My_OAuth_Consumer_Secret"
On your Satellite Server, copy the certificate archive file to your Capsule Server:
# scp ~/capsule.example.com-certs.tar \ root@capsule.example.com:/root/capsule.example.com-certs.tar
On your Capsule Server, to deploy the certificate, enter the
satellite-installer
command that thecapsule-certs-generate
command returns.If network connections or ports to Satellite are not yet open, you can set the
--foreman-proxy-register-in-foreman
option tofalse
to prevent Capsule from attempting to connect to Satellite and reporting errors. Run the installer again with this option set totrue
when the network and firewalls are correctly configured.ImportantDo not delete the certificate archive file after you deploy the certificate. It is required, for example, when upgrading Capsule Server.
2.5.2.3. Deploying a custom SSL certificate to hosts
After you configure Satellite to use a custom SSL certificate, you must deploy the certificate to hosts registered to Satellite.
Procedure
Update the SSL certificate on each host:
# dnf install http://capsule.example.com/pub/katello-ca-consumer-latest.noarch.rpm
2.6. Resetting custom SSL certificate to default self-signed certificate on Capsule Server
To reset the custom SSL certificate to default self-signed certificate on your Capsule Server, you must re-register your Capsule Server through Global Registration. For more information, see Registering hosts by using global registration in Managing hosts.
Verification
- In the Satellite web UI, navigate to Infrastructure > Capsules and select any Capsule Server.
- On the Overview tab, click Refresh features.
Additional Resources
- Reset custom SSL certificate to default self-signed certificate on Satellite Server in Installing Satellite Server in a connected network environment.
- Reset custom SSL certificate to default self-signed certificate on hosts in Managing hosts.
2.7. Assigning the correct organization and location to Capsule Server in the Satellite web UI
After installing Capsule Server packages, if there is more than one organization or location, you must assign the correct organization and location to Capsule to make Capsule visible in the Satellite web UI.
Assigning a Capsule to the same location as your Satellite Server with an embedded Capsule prevents Red Hat Insights from uploading the Insights inventory. To enable the inventory upload, synchronize SSH keys for both Capsules.
Procedure
- Log into the Satellite web UI.
- From the Organization list in the upper-left of the screen, select Any Organization.
- From the Location list in the upper-left of the screen, select Any Location.
- In the Satellite web UI, navigate to Hosts > All Hosts and select Capsule Server.
- From the Select Actions list, select Assign Organization.
- From the Organization list, select the organization where you want to assign this Capsule.
- Click Fix Organization on Mismatch.
- Click Submit.
- Select Capsule Server. From the Select Actions list, select Assign Location.
- From the Location list, select the location where you want to assign this Capsule.
- Click Fix Location on Mismatch.
- Click Submit.
- In the Satellite web UI, navigate to Administer > Organizations and click the organization to which you have assigned Capsule.
- Click Capsules tab and ensure that Capsule Server is listed under the Selected items list, then click Submit.
- In the Satellite web UI, navigate to Administer > Locations and click the location to which you have assigned Capsule.
- Click Capsules tab and ensure that Capsule Server is listed under the Selected items list, then click Submit.
Verification
Optionally, you can verify if Capsule Server is correctly listed in the Satellite web UI.
- Select the organization from the Organization list.
- Select the location from the Location list.
- In the Satellite web UI, navigate to Hosts > All Hosts.
- In the Satellite web UI, navigate to Infrastructure > Capsules.